Computer Security - ftp server question

Old 06-24-2006, 10:23 PM   #11
Default Re: ftp server question


Rick Merrill <> wrote:

> Maybe you can tell us HOW these attackers find the IP numbers of
> systems that are running FTP (or others services) ???


Too easy. Nmap is more than capable of scanning huge chunks of the net
for specific services and spitting out nicely formatted lists. And I'd
wager there's specialized software for people who are too script kiddie
to figure out nmap.

The standard practice as I understand it is to run your scans and sit
on the results for a while, or trade them with your buddies. Then some
time later or from another location launch your "attack" so that it's
harder to figure out where it's really coming from.

That innocent looking port scan you see in your firewall today could
very likely be the precursor to the attack you're going to experience
next month.



TwistyCreek
Old 06-26-2006, 05:54 PM   #12
Rick Merrill
Default Re: ftp server question
TwistyCreek wrote:

> Rick Merrill <> wrote:
>
>
>>Maybe you can tell us HOW these attackers find the IP numbers of
>>systems that are running FTP (or others services) ???

>
>
> Too easy. Nmap is more than capable of scanning huge chunks of the net
> for specific services and spitting out nicely formatted lists. And I'd
> wager there's specialized software for people who are too script kiddie
> to figure out nmap.
>
> The standard practice as I understand it is to run your scans and sit
> on the results for a while, or trade them with your buddies. Then some
> time later or from another location launch your "attack" so that it's
> harder to figure out where it's really coming from.
>
> That innocent looking port scan you see in your firewall today could
> very likely be the precursor to the attack you're going to experience
> next month.
>


So anyone running an open FTP server has probably already been 'found
out' but not everyone runs a log and even fewer probably check it!

The only account they have tried Does Not Exist!

Is a VPN the only way to protect against this scanning?


Rick Merrill
Old 06-27-2006, 01:36 AM   #13
Borked Pseudo Mailed
Default Re: ftp server question
Rick Merrill wrote:

> >>Maybe you can tell us HOW these attackers find the IP numbers of
> >>systems that are running FTP (or others services) ???

> >
> >
> > Too easy. Nmap is more than capable of scanning huge chunks of the
> > net for specific services and spitting out nicely formatted lists.
> > And I'd wager there's specialized software for people who are too
> > script kiddie to figure out nmap.
> >
> > The standard practice as I understand it is to run your scans and
> > sit on the results for a while, or trade them with your buddies.
> > Then some time later or from another location launch your "attack"
> > so that it's harder to figure out where it's really coming from.
> >
> > That innocent looking port scan you see in your firewall today could
> > very likely be the precursor to the attack you're going to
> > experience next month.
> >

>
> So anyone running an open FTP server has probably already been 'found
> out' but not everyone runs a log and even fewer probably check it!


Anyone running any sort of server is likely to be 'found out' in a
matter of minutes. Hours at the outside. I run SSH, a small web daemon,
and local delivery only SMTP/IMAP servers here. I have rate limiting on
the SSH server, so it only gets attacked once every three minutes tops.
This makes most of the SSH brute force bots go away. The web server gets
probed for vulnerable CGI all the time even though it's configured to
flatly disallow CGI. When I opened up the port for the SMTP server it
took about 45 seconds to see my first attempt to use it as a relay, and
from that point on I got a pretty steady stream. At least 40 to 50
tries a day, usually more. I don't run FTP because I have that ability
via SSH (sFTP), but I used to, and got hordes of failed login attempts
in those logs too.

So yeah, if you have something actually responding on a port it's
"normal" for people to be trying to crack it. Not right mind you, but
normal.

99.99% of this stuff is automated script kiddie crap, so a little
attention to your configuration like not accepting mail for non-local
delivery and keeping stuff patched/updated is sufficient to keep the
buggers at bay. Other than that just use good strong passwords when
applicable, and you should be fine.

In my humble opinion, if you're not "mentally prepared" for the
possibility that you will be owned, then it's a good idea not to run
the services to begin with. Just relax and take care of business. That
way you won't make as many mistakes.

> The only account they have tried Does Not Exist!


Typical script/automated or dictionary attacks. See them every day. And
as long as you're actually seeing them you know your firewall/logging
is working. After a while it's almost reassuring to see the attempts.
I'd flip out big time if I opened my mail logs and didn't see a whole
slew of 'REJECT' entries. It would mean the daemon died, or someone
broke in. The former is better than the latter, but neither one is a
particularly good thing.

> Is a VPN the only way to protect against this scanning?


No, shutting off the services and/or blocking the ports is the only
way.

A VPN will certainly add a layer of protection and obfuscate the fact
that services are running, yes. It will also place a burden on your
"clients" or users. If that's not a problem then it's a great idea to
just tunnel everything through a VPN. If you need access from anywhere
or by a varying clientele, then it may be problematic or outright
impossible.



Borked Pseudo Mailed
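As an added example (my code, not anything posted in this thread), here is a small Python pass over sshd log lines that does what the post above recommends: confirm the attempts are actually landing in the log, separate probes against accounts that do not exist from failures against real ones, and pick out the sources worth a closer look. The log excerpt, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (syslog format) for this example; the
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jun 27 01:10:02 host sshd[2211]: Invalid user admin from 198.51.100.7
Jun 27 01:10:02 host sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jun 27 01:10:05 host sshd[2213]: Invalid user oracle from 198.51.100.7
Jun 27 01:10:05 host sshd[2213]: Failed password for invalid user oracle from 198.51.100.7 port 41030 ssh2
Jun 27 01:10:09 host sshd[2215]: Invalid user test from 198.51.100.7
Jun 27 01:12:40 host sshd[2220]: Failed password for rick from 203.0.113.9 port 50112 ssh2
Jun 27 01:12:45 host sshd[2220]: Accepted password for rick from 203.0.113.9 port 50112 ssh2
Jun 27 01:15:00 host sshd[2230]: Invalid user admin from 192.0.2.55
"""

# One "Invalid user" line per attempt on an account that does not exist; the
# "Failed password for invalid user" line that follows is the same attempt,
# so it is deliberately not counted a second time.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# Failed passwords for accounts that DO exist (the lookahead skips the
# invalid-user form of the line).
FAILED_REAL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user)(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")


def summarize(log_text):
    """Per source address: probes against non-existent accounts, failures
    against real accounts, successful logins, and the user names tried."""
    per_source = defaultdict(
        lambda: {"invalid_user": 0, "failed_real": 0, "accepted": 0, "users": set()}
    )
    for line in log_text.splitlines():
        for pattern, field in ((INVALID_RE, "invalid_user"),
                               (FAILED_REAL_RE, "failed_real"),
                               (ACCEPTED_RE, "accepted")):
            m = pattern.search(line)
            if m:
                user, src = m.groups()
                per_source[src][field] += 1
                per_source[src]["users"].add(user)
                break
    return dict(per_source)


def flag_sources(summary, min_attempts=3):
    """Sources that only ever guessed: several attempts, nothing accepted."""
    return sorted(
        src for src, s in summary.items()
        if s["accepted"] == 0 and s["invalid_user"] + s["failed_real"] >= min_attempts
    )


def successes_after_failures(summary):
    """Sources that failed and then got in: a real user's typo, or a guess
    that worked. Either way it deserves a human look."""
    return sorted(src for src, s in summary.items()
                  if s["accepted"] > 0 and s["failed_real"] + s["invalid_user"] > 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(f"{src:15} invalid-user={s['invalid_user']} failed-real={s['failed_real']} "
              f"accepted={s['accepted']} users={sorted(s['users'])}")
    print("guessing only:", flag_sources(summary))
    print("failed then succeeded:", successes_after_failures(summary))
```

Point it at a real auth log and the "guessing only" list is the automated noise the post describes; an empty log, as the poster says, is the thing to worry about, so a run that finds no entries at all should be treated as a monitoring failure, not as good news.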
Old 06-29-2006, 12:39 PM   #14
Rick Merrill
Default Re: ftp server question
Borked Pseudo Mailed wrote:

> Rick Merrill wrote:
>
>
>>>>Maybe you can tell us HOW these attackers find the IP numbers of
>>>>systems that are running FTP (or others services) ???
>>>
>>>
>>>Too easy. Nmap is more than capable of scanning huge chunks of the
>>>net for specific services and spitting out nicely formatted lists.
>>>And I'd wager there's specialized software for people who are too
>>>script kiddie to figure out nmap.
>>>
>>>The standard practice as I understand it is to run your scans and
>>>sit on the results for a while, or trade them with your buddies.
>>>Then some time later or from another location launch your "attack"
>>>so that it's harder to figure out where it's really coming from.
>>>
>>>That innocent looking port scan you see in your firewall today could
>>>very likely be the precursor to the attack you're going to
>>>experience next month.
>>>

>>
>>So anyone running an open FTP server has probably already been 'found
>>out' but not everyone runs a log and even fewer probably check it!

>
>
> Anyone running any sort of server is likely to be 'found out' in a
> matter of minutes. Hours at the outside. I run SSH, a small web daemon,
> and local delivery only SMTP/IMAP servers here. I have rate limiting on
> the SSH server, so it only gets attacked once every three minutes tops.
> This makes most of the SSH brute force bots go away. The web server gets
> probed for vulnerable CGI all the time even though it's configured to
> flatly disallow CGI. When I opened up the port for the SMTP server it
> took about 45 seconds to see my first attempt to use it as a relay, and
> from that point on I got a pretty steady stream. At least 40 to 50
> tries a day, usually more. I don't run FTP because I have that ability
> via SSH (sFTP), but I used to, and got hordes of failed login attempts
> in those logs too.
>
> So yeah, if you have something actually responding on a port it's
> "normal" for people to be trying to crack it. Not right mind you, but
> normal.
>
> 99.99% of this stuff is automated script kiddie crap, so a little
> attention to your configuration like not accepting mail for non-local
> delivery and keeping stuff patched/updated is sufficient to keep the
> buggers at bay. Other than that just use good strong passwords when
> applicable, and you should be fine.
>
> In my humble opinion, if you're not "mentally prepared" for the
> possibility that you will be owned, then it's a good idea not to run
> the services to begin with. Just relax and take care of business. That
> way you won't make as many mistakes.
>
>
>>The only account they have tried Does Not Exist!

>
>
> Typical script/automated or dictionary attacks. See them every day. And
> as long as you're actually seeing them you know your firewall/logging
> is working. After a while it's almost reassuring to see the attempts.
> I'd flip out big time if I opened my mail logs and didn't see a whole
> slew of 'REJECT' entries. It would mean the daemon died, or someone
> broke in. The former is better than the latter, but neither one is a
> particularly good thing.
>
>
>>Is a VPN the only way to protect against this scanning?

>
>
> No, shutting off the services and/or blocking the ports is the only
> way.
>
> A VPN will certainly add a layer of protection and obfuscate the fact
> that services are running, yes. It will also place a burden on your
> "clients" or users. If that's not a problem then it's a great idea to
> just tunnel everything through a VPN. If you need access from anywhere
> or by a varying clientele, then it may be problematic or outright
> impossible.
>


"rate limiting" - upload speed from FTP server is limited to 43KB, but
it doesn't slow the door-knob twisters. What is the SSH rate limiting?

All users can be id'd by IP address easily and in advance. Therefore
What VPN is the easiest to install (on both ends)?



Rick Merrill
Old 06-29-2006, 06:51 PM   #15
Borked Pseudo Mailed
Default Re: ftp server question
Rick Merrill wrote:

> > daemon, and local delivery only SMTP/IMAP servers here. I have rate
> > limiting on the SSH server, so it only gets attacked once every
> > three minutes tops. This makes most of the SSH brute force bots go


<snip>
> "rate limiting" - upload speed from FTP server is limited to 43KB,
> but it doesn't slow the door-knob twisters. What is the SSH rate
> limiting?


OK that was way misleading. My fault. What I was trying to say was
that my firewall monitors new connections, and if too many attempts are
made to establish a new connection to my SSH server within a certain
period of time, access to the SSH server is shut off for a while.

When someone tries this dictionary attack crap they're doing nothing
but trying to establish one connection after another. If the password
is wrong, the connection is never fully established. Many/most
firewalls are able to tell the difference between established, and new.
It's called being "stateful". Knowing about the "state" of a
connection.

So "rate limiting" was a little misleading, especially since you're in
that frame of mind (rightfully so) where it means constraining
throughput. But in effect, what I do at the firewall is "rate limit"
the number of failed connection attempts to 3 in any 60 second period
of time, with a 10 minute "break" in between. Or something like that,
it's been so long since I set it up I could be off on the exact
timing.

> All users can be id'd by IP address easily and in advance. Therefore
> What VPN is the easiest to install (on both ends)?
>


Well, I'm not a Windows guy so I might not be the best person to answer
this. But as I understand it WinXP has its own "built-in" VPN client.
It would of course talk to the Windows "server" version, although I
don't know what you need for that. Have no clue if XP will serve
connections this way or not. But it would certainly be the easiest as
far as clients are concerned, assuming the standard distribution of
Windows boxen.

If it were me, the answer would be easy. OpenVPN. This might be a
solution for you too, as I said, I have no clue what Windows will do as
far as VPN goes. Sorry.



Borked Pseudo Mailed
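To make the "3 in any 60 second period, with a 10 minute break" rule concrete, here is an added Python model of that per-source decision. It is my example, not the poster's firewall configuration, and it counts new connections per source address the way a stateful packet filter would; whether the password was right is invisible at that layer. The event list and addresses are constructed.

```python
from collections import deque

# Constructed connection events (seconds since start, source address); the
# addresses are documentation ranges. The bot knocks every few seconds, the
# legitimate user connects twice.
BOT, USER = "198.51.100.7", "203.0.113.9"
SAMPLE_EVENTS = [
    (0, BOT), (5, BOT), (10, BOT), (15, BOT), (20, BOT),
    (30, USER), (100, BOT), (200, USER), (610, BOT), (620, BOT),
]


class NewConnectionLimiter:
    """Per-source limit on NEW connections: at most max_new within any
    window seconds; exceeding that blocks the source for ban seconds.
    Only connection attempts are visible here, as with a stateful filter."""

    def __init__(self, max_new=3, window=60.0, ban=600.0):
        self.max_new, self.window, self.ban = max_new, window, ban
        self._recent = {}        # src -> deque of admitted connection times
        self._banned_until = {}  # src -> time the block lifts

    def admit(self, src, now):
        """True if a new connection from src at time now may pass."""
        until = self._banned_until.get(src)
        if until is not None:
            if now < until:
                return False
            del self._banned_until[src]      # block expired, start clean
        times = self._recent.setdefault(src, deque())
        while times and now - times[0] > self.window:
            times.popleft()                  # forget hits older than the window
        if len(times) >= self.max_new:
            self._banned_until[src] = now + self.ban
            times.clear()
            return False
        times.append(now)
        return True


def replay(events, max_new=3, window=60.0, ban=600.0):
    """Run time-ordered events through a fresh limiter; returns
    (time, src, allowed) per event."""
    limiter = NewConnectionLimiter(max_new, window, ban)
    return [(t, src, limiter.admit(src, t)) for t, src in events]


if __name__ == "__main__":
    for t, src, ok in replay(SAMPLE_EVENTS):
        print(f"t={t:4}s {src:15} {'allow' if ok else 'DROP'}")
```

In the replay the bot gets three connections in, is dropped from the fourth onward, and is not heard again until the ten-minute block has lapsed, while the legitimate user is never touched because the state is kept per source. On Linux the stock way to get this behaviour is the iptables `recent` match (`-m recent --set`, then `--update --seconds ... --hitcount ...`) applied to NEW connections on the SSH port; the model above is the same decision written out so it can be run and checked offline.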
Old 07-02-2006, 12:12 AM   #16
Rick Merrill
Default Re: ftp server question
Borked Pseudo Mailed wrote:

> Rick Merrill wrote:
>
>
>>>daemon, and local delivery only SMTP/IMAP servers here. I have rate
>>>limiting on the SSH server, so it only gets attacked once every
>>>three minutes tops. This makes most of the SSH brute force bots go

>
>
> <snip>
>
>>"rate limiting" - upload speed from FTP server is limited to 43KB,
>>but it doesn't slow the door-knob twisters. What is the SSH rate
>>limiting?

>
>
> OK that was way misleading. My fault. What I was trying to say was
> that my firewall monitors new connections, and if too many attempts are
> made to establish a new connection to my SSH server within a certain
> period of time, access to the SSH server is shut off for a while.
>
> When someone tries this dictionary attack crap they're doing nothing
> but trying to establish one connection after another. If the password
> is wrong, the connection is never fully established. Many/most
> firewalls are able to tell the difference between established, and new.
> It's called being "stateful". Knowing about the "state" of a
> connection.
>
> So "rate limiting" was a little misleading, especially since you're in
> that frame of mind (rightfully so) where it means constraining
> throughput. But in effect, what I do at the firewall is "rate limit"
> the number of failed connection attempts to 3 in any 60 second period
> of time, with a 10 minute "break" in between. Or something like that,
> it's been so long since I set it up I could be off on the exact
> timing.
>
>
>>All users can be id'd by IP address easily and in advance. Therefore
>>What VPN is the easiest to install (on both ends)?
>>

>
>
> Well, I'm not a Windows guy so I might not be the best person to answer
> this. But as I understand it WinXP has its own "built-in" VPN client.
> It would of course talk to the Windows "server" version, although I
> don't know what you need for that. Have no clue if XP will serve
> connections this way or not. But it would certainly be the easiest as
> far as clients are concerned, assuming the standard distribution of
> Windows boxen.
>
> If it were me, the answer would be easy. OpenVPN. This might be a
> solution for you too, as I said, I have no clue what Windows will do as
> far as VPN goes. Sorry.
>


What you describe may be EXACTLY what I want: a transparent firewall
that detects successive login attempts then prohibits access for, say,
10 minutes. One thing though: what I need is a passthrough:
strangers<-->Cable<==>modem<==>router<==>firewall<==>server<-->legit users


Rick Merrill